The Facebook wake-up call

What’s at stake for the personal data economy

While hindsight is a wonderful thing, there has been a sense of inevitability to the whole Facebook / Cambridge Analytica scandal.

Yes, the liberties taken with user data are shocking, particularly its use by third parties. And more of Facebook’s 2.2billion users will now understand the true depth and nature of the social network’s enormous data mining operation. But that was hardly a secret to anyone who cared to look.

The question now is, will the #deletefacebook sentiment become a defining moment – a shift in our attitudes and understanding when it comes to our personal data?

Perhaps a bigger question, though, is this: will it change the attitudes and approaches of organisations that use our data?

Or will Facebook just end up joining the likes of Equifax, TalkTalk and other corporations on the personal data naughty step?

The EU General Data Protection Regulation (GDPR) is finally almost upon us, and not before time. Now is the perfect moment to learn lessons that go beyond simply staying out of trouble.

Looking back to looking forward

Last year, two Internet of Me interviewees separately suggested that it would take a cataclysmic event to wake the public up to the importance and value of their personal data, and the need to protect it.

Data privacy and cyber security legal expert Theodore Claypoole, a partner at US law firm Womble Bond Dickinson (formerly Womble Carlyle), said it would be like an “Exxon Valdez of privacy”, referring to the enormous 1989 oil tanker spill off the coast of Alaska.

While Facebook’s share price has taken a battering and the mood at Menlo Park is doubtless tense right now, there is no sign that recent events represent such a cataclysm.

Yet.

Because, one thing that’s very clear is that we don’t yet know if there is more, or worse, to come – something acknowledged by Mark Zuckerberg himself in his full page national press mea culpa at the weekend.

Such vast quantities of data have been scooped up and used not just by Facebook but by other third parties, that it could take a while to find out where it has ended up and what it has been used for.

The underlying problem was identified in a particularly prescient comment from that interview with Theodore Claypoole back in August of last year: “It’s all too easy when you’re a Facebook or a Google or another big company to just suck up the data and not tell anybody where it’s going, what they’re using it for, why they have it, why you should be giving it up, why they’re benefiting from it.”

With friends like these . . .

The fact that personal data is routinely scraped, harvested, shared and traded in order to profile, segment, target, re-target, and track internet users – and Facebook is not alone here – is hardly a secret. It’s the scale and carelessness of the data gathering free-for-all in this case that is shocking.

Facebook allowed a British researcher to gather data on its users which, in turn, was used by political consultants Cambridge Analytica for targeted campaign messaging.

It has also blown the lid off the vast data-devouring beast that lies behind the Facebook news feed and the rabbit warren of third party apps beyond that.

It has also blown the lid off the vast data-devouring beast that lies behind the Facebook news feed and the rabbit warren of third party apps beyond that.

Not only did tens of millions of users unknowingly have their data used by Cambridge Analytica, but so did their unwitting friends.

The foundations of the problem will have been laid at the point at which heady startup idealism gave way to hard-nosed business. The point at which the word ‘monetise’ shifted from being a distant notion on the roadmap to being an investor priority.

This is where the much-loved ‘purpose’ of brand evangelists is truly tested. It’s where, for Facebook, the mission statement to “give people the power to build community and bring the world closer together” must become a benefit that converts into real shareholder value.

What does it ad up to?

But let’s hang on for a minute. There’s no identity theft or fraud going on here. There isn’t the direct financial danger posed by the Equifax data breach, for example.

Do people care enough about their data for this to be important to them?

So, what if their data is used to target them with ads? What’s new? And who cares whether those ads are for widgets or a political party? Surely we are already inured to the idea that our data is out there and privacy is dead?

Again, it’s the scale of what’s happening that is sobering. Most people probably would have reservations if they fully understood that their entire online life – and much of their offline one – was being watched and recorded in minute detail 24/7.

It’s interesting to remember that attempts by successive British governments – of both colours – to introduce national identity cards foundered, principally over concerns for civil liberties and security of personal data. They were to include biometric information such as iris scans, facial scans and fingerprints linked to a nationwide ID database. In the end, there wasn’t sufficient appetite for what many saw as a Big Brother state which couldn’t be relied on to keep such sensitive information safe.

Telling people they should take more care with their personal data has the ring of the public health campaign about it

Today, we routinely use such biometrics to access our devices and accounts, while all sorts of neat identity verification technologies remove friction from daily life.

Our phones have gradually become de facto identity cards, and then some. We voluntarily share far more data with private companies than the government ever wanted to get its hands on. Where we doubted the motives and capabilities of elected government, we now choose to place our trust in those companies, and in the flimsiest of regulatory frameworks.

Errant governments are easier to remove than errant corporations.

Meanwhile, telling people they should take more care with their personal data has the ring of the public health campaign about it. It’s taken a very long time and an obesity epidemic to see any real traction on tackling sugary junk food. Our personal data health is a far less tangible concept.

What made the public uncomfortable about national ID cards was that they could have affected access to public services and benefits, and been cross-referenced with criminal and other databases. Who’s to say all that very personal data sloshing around out there won’t end up being put to the same purposes, given no one really knows who’s got it?

The last chance saloon

The fact is, Facebook is great for connecting people and building communities. The user numbers testify to that. Most of the other apps and services we pour our data into every day are great, too. What Facebook is now going through is a cautionary warning for all organisations using our data to put their houses in order. It’s an existential priority, and not just for Facebook.

Here’s what’s at stake. The personal data economy is a thrillingly exciting frontier of innovation and opportunity that is yet to be fully explored. But for too long it’s been a Wild West when it comes to the exploitation of people’s information.

So, this is an opportunity for organisations to put ‘purpose’ into practice. For companies to treat customers’ data with respect. To allow them to share it on their terms rather than dictating the terms under which to take it.

The GDPR means there will shortly be a new sheriff in town. It’s a shame more notice wasn’t taken of this important piece of legislation as it took shape and began its journey towards being a binding reality for any company using personal data to do business in Europe.

Complying with GDPR isn’t a walk in the park, but it actually represents a framework of opportunity for organisations to treat customers, consumers, users – people – with real respect and to build more meaningful relationships with them. To build trust, in other words – something every respectable business should count among its brand values.

So, this is an opportunity for organisations to put ‘purpose’ into practice. For companies to treat customers’ data with respect. To allow them to share it on their terms rather than dictating the terms under which to take it.

The Facebook debacle may or may not turn out to be the feared personal data cataclysm. Let’s hope not. And let’s hope the GDPR and changing attitudes mean we don’t have to wait for the inevitable next data scandal, or the one after that, to do things better.

It’s in nobody’s interest to turn personal data toxic and create a Chernobyl-style exclusion zone where a thriving personal data economy is beginning to flourish.